Date: Wed, 21 Oct 1998 00:15:12 -0700 (PDT)
From: Kevin Vajk <[email protected]>
To: David Luyer <[email protected]>
Subject: Re: buffer overflow in netkit rwhod/Debian netstd-3.07-2hamm.2
Cc: [email protected]
On Wed, 21 Oct 1998, David Luyer wrote:
> There's a (sort-of exploitable as DoS, possibly exploitable in more interesting
> ways[1] but unlikely) buffer overflow in rwhod (netkit-rwho-0.10/rwhod in Debian
> netstd-3.07-2hamm.2).
Neat... If we're gonna be changing rwhod, let's also improve the
verify function by lifting the OpenBSD version, since it checks for things
that our one doesn't. (Nothing directly exploitable, per se.)
In particular, the OpenBSD version will reject a hostname whose first
character is a "-", which could trip up any poorly written scripts which
try to parse this stuff.
I've written up an example patch on a RedHat system. It's not The Real
Thing since I haven't tested it at all yet. (All I've verified is that it
compiles, really.)
Maybe you want to play with this a little?
- Kevin Vajk
<[email protected]>
[Attachment: netkit-rwho-0.10-overflow.patch]
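The kind of hostname validation Kevin proposes lifting into rwhod's verify function, written here as an added example in C; it is neither the netkit nor the OpenBSD code and not the attached patch. It assumes the name arrives in a fixed-size packet field of `maxlen` bytes that may lack a terminator, and the accepted character set (letters, digits, '-', '.', '_') and the rejection of '/' are this example's own choices.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* verify_hostname: check a hostname taken from a received rwho packet before
 * it is used to build a spool file name or printed.  Added illustration, not
 * the netkit or OpenBSD verify().  `name` is the fixed-size packet field (it
 * may lack a NUL) and `maxlen` is that field's size.  Returns 1 if OK, else 0. */
int verify_hostname(const char *name, size_t maxlen)
{
    size_t len = 0;

    /* Bounded scan: the name must be NUL-terminated inside its own field,
     * otherwise strcpy/sprintf on it read or copy past the buffer. */
    while (len < maxlen && name[len] != '\0')
        len++;
    if (len == 0 || len == maxlen)
        return 0;

    /* A leading '-' looks like an option to naive scripts that pass the name
     * on a command line (the OpenBSD check mentioned above); a leading '.'
     * is never a valid label either. */
    if (name[0] == '-' || name[0] == '.')
        return 0;

    /* Whitelist (this example's choice): ASCII letters, digits, '-', '.', '_'.
     * This rejects control bytes, 8-bit bytes, spaces and '/', so the name
     * cannot escape the spool directory when it becomes part of a path. */
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)name[i];
        if (c >= 0x80 || !(isalnum(c) || c == '-' || c == '.' || c == '_'))
            return 0;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample fields, as rwhod would see them in a packet. */
    char good[32] = "debian-host.example", dash[32] = "-rf", unterminated[32];

    memset(unterminated, 'A', sizeof unterminated);   /* no NUL at all */
    printf("%-20s -> %d\n", good, verify_hostname(good, sizeof good));
    printf("%-20s -> %d\n", dash, verify_hostname(dash, sizeof dash));
    printf("%-20s -> %d\n", "unterminated", verify_hostname(unterminated, 32));
    return 0;
}
```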